rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity
xen/CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
Charles Arnold 6636a216d1 - bsc#969125 - VUL-0: CVE-2015-8817: xen: OOB access in 
address_space_rw leads to segmentation fault (I)
  CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
- bsc#969126 - VUL-0: CVE-2015-8818: xen: OOB access in
  address_space_rw leads to segmentation fault (II)
  CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=407
2016-03-02 22:05:55 +00:00

54 lines
2.2 KiB
Diff
Raw Blame History

References: bsc#969125 CVE-2015-8817
Subject: exec: Respect as_translate_internal length clamp
From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700
Date: Mon Apr 27 18:24:19 2015 +0200:
Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3
address_space_translate_internal will clamp the *plen length argument
based on the size of the memory region being queried. The iommu walker
logic in addresss_space_translate was ignoring this by discarding the
post fn call value of *plen. Fix by just always using *plen as the
length argument throughout the fn, removing the len local variable.
This fixes a bootloader bug when a single elf section spans multiple
QEMU memory regions.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
@@ -363,7 +363,6 @@ MemoryRegion *address_space_translate(Ad
IOMMUTLBEntry iotlb;
MemoryRegionSection *section;
MemoryRegion *mr;
- hwaddr len = *plen;
for (;;) {
section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true);
@@ -376,7 +375,7 @@ MemoryRegion *address_space_translate(Ad
iotlb = mr->iommu_ops->translate(mr, addr, is_write);
addr = ((iotlb.translated_addr & ~iotlb.addr_mask)
| (addr & iotlb.addr_mask));
- len = MIN(len, (addr | iotlb.addr_mask) - addr + 1);
+ *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1);
if (!(iotlb.perm & (1 << is_write))) {
mr = &io_mem_unassigned;
break;
@@ -387,10 +386,9 @@ MemoryRegion *address_space_translate(Ad
if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr;
- len = MIN(page, len);
+ *plen = MIN(page, *plen);
}
- *plen = len;
*xlat = addr;
return mr;
}
View Git Blame Copy Permalink